john spurlock 2004

"canonicalization" for 1000, alex

The recent authentication exploit is generating some bad press for that software company in redmond.

Now I'm not going to say that handling "canonicalization issues" is easy, mapping urls to local system paths is a tricky problem, there are plenty of similar problems with other web apps and frameworks. And I also can't believe that this wasn't anticipated by someone in that vaunted microsoft QA army.

In the long run, though, I think that this might actually serve to highlight the flexibility and resiliency of as an agile (buzzword alert) system. The exploit doesn't have to be a show-stopper because the framework is extremely extensible - the recommended fix is literally one line of code in one file. How much cleaner can you get?

This surgical fix is possible because opens itself up for extension and modification at practically every conceivable point in the whole request-response process - not an original idea necessarily, but one that is proving to be extremely helpful in "future-proofing" modern applications (see the hyper-pluggable eclipse architecture in java-land for a non-web example).

So I'm giving MS credit where it's due on this one, is not going away anytime soon.